Security testing: need for a security policy, and a security-critical package process

Vincent Danen vdanen at redhat.com
Tue Nov 24 02:36:56 UTC 2009


* [2009-11-23 19:54:11 -0500] Seth Vidal wrote:

> On Mon, 23 Nov 2009, Matthias Clasen wrote:
>
>> I don't want to ship a desktop that doesn't let the user do useful
>> things.
>
> And you can ship a desktop SPIN that way. But the base pkgs should not  
> install with an insecure set of choices.
>
> if you want the spin to have a post-scriptlet which allows more things,  
> then that's the choice of the desktop sig over the desktop spin.
>
> We should not be forcing the choices for the desktop spin on everyone who 
> installs a pkg in the distribution.

The base system should always be more restrictive and secure.  How hard
is it to have Anaconda ask the user what their typical use-case is?
Home computer, single-user, relax some stuff, install policy A.  Home
computer, multi-user?  Policy B.  Fort Knox?  Policy X.

But these customizations should come post-install, customized via
Anaconda or a package that installs a policy set or something, with the
idea that base packages should always have the lowest common denominator,
which really has to be ideal security.  Not saying it needs to go to
extremes so the user needs to enter a password to wiggle the mouse, but
there should be some good reasonable secure defaults.

And the user should pretty much have to choose to be less secure.  Don't
make them choose to be _more_ secure.  I don't think anyone will gripe
if they have to check off an extra box to relax system security, but
they're gonna be quite annoyed (as we've seen) if we take away
responsible security practices in the name of convenience.

-- 
Vincent Danen / Red Hat Security Response Team 




More information about the Fedora-security-list mailing list